DOCSLIB.ORG

Encryption § Digital Signature § Anonymity Protocols § Etc

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Encryption § Digital Signature § Anonymity Protocols § Etc CS 2, Conference of PhD Students in Computer Science 4th July, 2002. Efficiency Analysis and Comparison of Public Key Algorithms Csilla Endrodi BUTE DMIS, Ph.D. student [email protected] S E A R C H Laboratory ContentsContents § Public Key Algorithms – Existing Algorithms – Differences – RSA – ECC § Analysis and Comparison – The Measured Data – The Correspondence for the Comparison – Software Implementation and Measuring Environment § Results – Time of Execution – Size of Data Files § Summary 2. PublicPublic KeyKey AlgorithmsAlgorithms There exist several public key algorithms. Mathematical Hard Problems: § Integer Factorisation Problem (IFP) § Discrete Logarithm Problem (DLP) § Elliptic Curve Discrete Logarithm Problem (ECDLP) § Lattice Reduction – or Closest Vector Problem (CVP) § others… Data Security Functions: § Key Agreement § Encryption § Digital Signature § Anonymity Protocols § etc. Public Key Cryptography Algorithms Algorithms Based On DLP: § Diffie-Hellmann Key Agreement (DH) § Diffie-Hellmann Key Agreement 2 (DH2) § El-Gamal Encryption Scheme § Menezes-Qu-Vanstone (MQV) § Efficient Compact Subgroup Trace Representation (XTR) § Digital Signature Algorithm (DSA) § BlumGoldwasser § Zheng-Seberry § Ballare-Rogaway § Nyberg-Rueppel Signature Scheme § Schnorr Algorithms based on IFP: § RSA § Rabin-Williams 4. Public Key Cryptography Algorithms Algorithms based on ECDLP: § Elliptic Curve Diffie-Hellmann Key Agreement (ECDH) § Elliptic Curve Menezes-Qu-Vanstone (ECMQV) § Elliptic Curve Integrated Encryption Scheme (ECIEC) § Elliptic Curve Digital Signature Algorithm (ECDSA) § Elliptic Curve Nyberg-Rueppel (ECNR) Other: § LUCDIF § LUCELG § LUCRSA § Merkle-Hellmann § Chor-Rivest § NTRU § McEliece 5. Public Key Cryptography Algorithms Algorithms based on ECDLP: § Elliptic Curve Diffie-Hellmann Key Agreement (ECDH) § Elliptic Curve Menezes-Qu-Vanstone (ECMQV) § Elliptic Curve Integrated Encryption Scheme (ECIEC) § Elliptic Curve Digital Signature Algorithm (ECDSA) § Elliptic Curve Nyberg-Rueppel (ECNR) Other: Currently most of § LUCDIF the applications § LUCELG uses RSA. § LUCRSA § Merkle-Hellmann § Chor-Rivest § NTRU § McEliece 5. Public Key Cryptography Algorithms Algorithms based on ECDLP: § Elliptic Curve Diffie-Hellmann Key Agreement (ECDH) § Elliptic Curve Menezes-Qu-Vanstone (ECMQV) § Elliptic Curve Integrated Encryption Scheme (ECIEC) § Elliptic Curve Digital Signature Algorithm (ECDSA) § Elliptic Curve Nyberg-Rueppel (ECNR) Other: Currently most of § LUCDIF the applications § LUCELG uses RSA. § LUCRSA § Merkle-Hellmann § Chor-Rivest A new promising § NTRU alternative is ECC. § McEliece 5. Public Key Cryptography Algorithms Differences Ø They accomplish the same data security functions, Ø BUT they are even not absolutely interchangeable. Differences: § Different mathematical background – Incompatible parameters (publ., sec. keypairs, common param.) – Different limitations – Different efficiency feature during their usage § The best known, general breaking algorithms are different – Different requirements for key size belonging to a defined security level 6. Public Key Cryptography Algorithms Differences Ø They accomplish the same data security functions, Ø BUT they are even not absolutely interchangeable. Differences: § Different mathematical background – Incompatible parameters (publ., sec. keypairs, common param.) – Different limitations – Different efficiency feature during their usage § The best known, general breaking algorithms are different – Different requirements for key size belonging to a defined security level Which to chose? Security level: Must be clearly defined as an assumption – Their limitations of the operation – Their efficiency characteristics (not only the key size!) 6. Public Key Cryptography Algorithms Differences Ø They accomplish the same data security functions, Ø BUT they are even not absolutely interchangeable. Differences: § Different mathematical background – Incompatible parameters (publ., sec. keypairs, common param.) – Different limitations – Different efficiency feature during their usage § The best known, general breaking algorithms are different – Different requirements for key size belonging to a defined security level Which to chose? Security level: Must be clearly defined as an assumption – Their limitations of the operation – Their efficiency characteristics (not only the key size!) How to compare them? The incompatibility of the algorithms becomes their comparison difficult. 6. Public Key Cryptography Algorithms RSA algorithm (1978) RSA Key Generation: p, q primes; m = p*q F(m) = (p-1) * (q-1) e optional: 1 £ e £ F(m); (e, F(m)) = 1 Public Key: (e, m) Secret Key: (d, m) Encryption Function: E(x) = xe mod m; ! x < m; Decryption Function: D(y) = yd mod m § It has not been broken for a quarter of century § Its security is not proved § Simple, fine mathematical background: modulo arithmetic § It had been the patent of the RSA Security Inc. up to 20 Sept. 2000. § The most wide-spread public key algorithm § Typical parameters: 512-4096-bit modulus; recommended: 1024 bit § Speed-up: choose for ‘e’ a small value (e = 65537 = 10001h) § The maximal size of data that can be encrypted in one step is determined by the modulus 7. Public Key Cryptography Algorithms ECC ECC algorithm (1985-) Common parameters: E(K) elliptic curve, B base point Secret Key: k; random number; k < order of the group Public Key: P (= BÄBÄ … ÄB = k¤B) Encryption Function : E(M) = (Y1, Y2); Y1 = r¤B; Y2 = M Ä r¤(k¤B); r random integer Decryption Function : D(Y1, Y2) = Y2 Ä (-) k¤ Y1 § Quite young § Difficult mathematical background: group over the points of EC § Breaking methods are also slower To reach a given security level a much smaller key size is needed in case of ECC than in case of RSA, that is the „security-per-key-bit” rate is higher. § Parameters: § Size of Key: 110 - 570-bit key; recommended: 160-bit. § Common parameters: recommended (ANSI, Certicom) § Speed-up: Precomputed tables for B and P. 8. Public Key Cryptography Algorithms ECC ECC algorithm (1985-) Common parameters: E(K) elliptic curve, B base point Secret Key: k; random number; k < order of the group Public Key: P (= BÄBÄ … ÄB = k¤B) Encryption Function : E(M) = (Y1, Y2); Y1 = r¤B; Y2 = M Ä r¤(k¤B); r random integer Decryption Function : D(Y1, Y2) = Y2 Ä (-) k¤ Y1 § Quite young § Difficult mathematical background: group over the points of EC § Breaking methods are also slower To reach a given security level a much smaller key size is needed in case of ECC than in case of RSA, that is the „security-per-key-bit” rate is higher. § Parameters: § Size of Key: 110 - 570-bit key; recommended: 160-bit. § Common parameters: recommended (ANSI, Certicom) § Speed-up: Precomputed tables for B and P. 8. AnalysisAnalysis andand ComparisonComparison Aims: Ø Analysis: Mapping the dependencies between the parameter setting and the efficiency features. Ø Comparison: Compare the chosen algorithms and try to specify the better one. 9. AnalysisAnalysis andand ComparisonComparison Aims: Ø Analysis: Mapping the dependencies between the parameter setting and the efficiency features. Ø Comparison: Compare the chosen algorithms and try to specify the better one. Which operations? Tests were made with ECC and with RSA during the - Key Generation - Establishment Common Parameters - Encryption - Decryption - Signing - Signature Verification 9. Analysis and Comparison Introduction of the Measurement Process The measured datas were What data? – the time of execution – and the size of data, namely: - size of the Common Parameter Files, - size of the Public and Secret Key Files, - size of the Encrypted Data Files, - size of the Signature Files The parameters of the operations are: Depending on what? - the size of the applied key - the size and content of the input data Other facts having effect for the efficiency behaviour: - In RSA the value of the exponent (little or great) - In ECC that precomputed tables were used or not - In ECC the type of the group (GF(2n) or GF(p) ); in case of GF(2n) the type of the generator polynomial (trinomial or pentanomial): ECP, EC2NT and EC2NP 10. Analysis and Comparison Analysis High number of the test cases: § Many sub-types of the algorithms § The changeable parameters and many kind of their possible values with ECC ab. 4000, with RSA more, than 2000 measures. 11. Analysis and Comparison Analysis High number of the test cases: § Many sub-types of the algorithms § The changeable parameters and many kind of their possible values with ECC ab. 4000, with RSA more, than 2000 measures. Comparison What datas to compare? Incompatible algorithms: § Different security „meaning” of the key sizes § Algorithm sub-types It had to be made correspondence with each other somehow. 11. Analysis and Comparison How to make correspondence? (1) Size of Keys: The starting assumption: The Security Level Key Size ~ Level of Security Comparison by Identical Security Level Providing Key Sizes Adequate pairs are determined on the ground of international research results. RSA (bit) ECC (bit) 512 113 768 136 1024 160 2048 282 4096 409 (2) Type of Algorithms: Can not be ordered together at all. Handled as further versions of the algorithms. RSA: 3 relevant sub-cases depending on the public exponent: e = 3; e = 65537; e = random. ECC: 3 relevant sub-cases depending on the type of the applied group: GF(p); GF(2n) trinomial; GF(2n) pentanomial. 12. Analysis and Comparison The selected software implementation: Crypto++ § Open source § Implements the required ECC and RSA
Load more

Recommended publications
  • Etsi Gr Qsc 001 V1.1.1 (2016-07)
    ETSI GR QSC 001 V1.1.1 (2016-07) GROUP REPORT Quantum-Safe Cryptography (QSC); Quantum-safe algorithmic framework 2 ETSI GR QSC 001 V1.1.1 (2016-07) Reference DGR/QSC-001 Keywords algorithm, authentication, confidentiality, security ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N° 348 623 562 00017 - NAF 742 C Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88 Important notice The present document can be downloaded from: http://www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, please send your comment to one of the following services: https://portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI.
    [Show full text]
  • Bilinear Map Cryptography from Progressively Weaker Assumptions
    Full version of an extended abstract published in Proceedings of CT-RSA 2013, Springer-Verlag, Feb. 2013. Available from the IACR Cryptology ePrint Archive as Report 2012/687. The k-BDH Assumption Family: Bilinear Map Cryptography from Progressively Weaker Assumptions Karyn Benson, Hovav Shacham ∗ Brent Watersy University of California, San Diego University of Texas at Austin fkbenson, [email protected] [email protected] February 4, 2013 Abstract Over the past decade bilinear maps have been used to build a large variety of cryptosystems. In addition to new functionality, we have concurrently seen the emergence of many strong assump- tions. In this work, we explore how to build bilinear map cryptosystems under progressively weaker assumptions. We propose k-BDH, a new family of progressively weaker assumptions that generalizes the de- cisional bilinear Diffie-Hellman (DBDH) assumption. We give evidence in the generic group model that each assumption in our family is strictly weaker than the assumptions before it. DBDH has been used for proving many schemes secure, notably identity-based and functional encryption schemes; we expect that our k-BDH will lead to generalizations of many such schemes. To illustrate the usefulness of our k-BDH family, we construct a family of selectively secure Identity-Based Encryption (IBE) systems based on it. Our system can be viewed as a generalization of the Boneh-Boyen IBE, however, the construction and proof require new ideas to fit the family. We then extend our methods to produces hierarchical IBEs and CCA security; and give a fully secure variant. In addition, we discuss the opportunities and challenges of building new systems under our weaker assumption family.
    [Show full text]
  • Circuit-Extension Handshakes for Tor Achieving Forward Secrecy in a Quantum World
    Proceedings on Privacy Enhancing Technologies ; 2016 (4):219–236 John M. Schanck*, William Whyte, and Zhenfei Zhang Circuit-extension handshakes for Tor achieving forward secrecy in a quantum world Abstract: We propose a circuit extension handshake for 2. Anonymity: Some one-way authenticated key ex- Tor that is forward secure against adversaries who gain change protocols, such as ntor [13], guarantee that quantum computing capabilities after session negotia- the unauthenticated peer does not reveal their iden- tion. In doing so, we refine the notion of an authen- tity just by participating in the protocol. Such pro- ticated and confidential channel establishment (ACCE) tocols are deemed one-way anonymous. protocol and define pre-quantum, transitional, and post- 3. Forward Secrecy: A protocol provides forward quantum ACCE security. These new definitions reflect secrecy if the compromise of a party’s long-term the types of adversaries that a protocol might be de- key material does not affect the secrecy of session signed to resist. We prove that, with some small mod- keys negotiated prior to the compromise. Forward ifications, the currently deployed Tor circuit extension secrecy is typically achieved by mixing long-term handshake, ntor, provides pre-quantum ACCE security. key material with ephemeral keys that are discarded We then prove that our new protocol, when instantiated as soon as the session has been established. with a post-quantum key encapsulation mechanism, Forward secret protocols are a particularly effective tool achieves the stronger notion of transitional ACCE se- for resisting mass surveillance as they resist a broad curity. Finally, we instantiate our protocol with NTRU- class of harvest-then-decrypt attacks.
    [Show full text]
  • Implementation and Performance Evaluation of XTR Over Wireless Network
    Implementation and Performance Evaluation of XTR over Wireless Network By Basem Shihada [email protected] Dept. of Computer Science 200 University Avenue West Waterloo, Ontario, Canada (519) 888-4567 ext. 6238 CS 887 Final Project 19th of April 2002 Implementation and Performance Evaluation of XTR over Wireless Network 1. Abstract Wireless systems require reliable data transmission, large bandwidth and maximum data security. Most current implementations of wireless security algorithms perform lots of operations on the wireless device. This result in a large number of computation overhead, thus reducing the device performance. Furthermore, many current implementations do not provide a fast level of security measures such as client authentication, authorization, data validation and data encryption. XTR is an abbreviation of Efficient and Compact Subgroup Trace Representation (ECSTR). Developed by Arjen Lenstra & Eric Verheul and considered a new public key cryptographic security system that merges high level of security GF(p6) with less number of computation GF(p2). The claim here is that XTR has less communication requirements, and significant computation advantages, which indicate that XTR is suitable for the small computing devices such as, wireless devices, wireless internet, and general wireless applications. The hoping result is a more flexible and powerful secure wireless network that can be easily used for application deployment. This project presents an implementation and performance evaluation to XTR public key cryptographic system over wireless network. The goal of this project is to develop an efficient and portable secure wireless network, which perform a variety of wireless applications in a secure manner. The project literately surveys XTR mathematical and theoretical background as well as system implementation and deployment over wireless network.
    [Show full text]
  • Overview of Post-Quantum Public-Key Cryptosystems for Key Exchange
    Overview of post-quantum public-key cryptosystems for key exchange Annabell Kuldmaa Supervised by Ahto Truu December 15, 2015 Abstract In this report we review four post-quantum cryptosystems: the ring learning with errors key exchange, the supersingular isogeny key exchange, the NTRU and the McEliece cryptosystem. For each protocol, we introduce the underlying math- ematical assumption, give overview of the protocol and present some implementa- tion results. We compare the implementation results on 128-bit security level with elliptic curve Diffie-Hellman and RSA. 1 Introduction The aim of post-quantum cryptography is to introduce cryptosystems which are not known to be broken using quantum computers. Most of today’s public-key cryptosys- tems, including the Diffie-Hellman key exchange protocol, rely on mathematical prob- lems that are hard for classical computers, but can be solved on quantum computers us- ing Shor’s algorithm. In this report we consider replacements for the Diffie-Hellmann key exchange and introduce several quantum-resistant public-key cryptosystems. In Section 2 the ring learning with errors key exchange is presented which was introduced by Peikert in 2014 [1]. We continue in Section 3 with the supersingular isogeny Diffie–Hellman key exchange presented by De Feo, Jao, and Plut in 2011 [2]. In Section 5 we consider the NTRU encryption scheme first described by Hoffstein, Piphe and Silvermain in 1996 [3]. We conclude in Section 6 with the McEliece cryp- tosystem introduced by McEliece in 1978 [4]. As NTRU and the McEliece cryptosys- tem are not originally designed for key exchange, we also briefly explain in Section 4 how we can construct key exchange from any asymmetric encryption scheme.
    [Show full text]
  • DRAFT Special Publication 800-56A, Recommendation for Pair-Wise Key
    The attached DRAFT document (provided here for historical purposes) has been superseded by the following publication: Publication Number: NIST Special Publication (SP) 800-56A Revision 2 Title: Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography Publication Date: 05/13/2013 • Final Publication: https://doi.org/10.6028/NIST.SP.800-56Ar2 (which links to http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar2.pdf). • Information on other NIST Computer Security Division publications and programs can be found at: http://csrc.nist.gov/ The following information was posted with the attached DRAFT document: Aug 20, 2012 SP 800-56 A Rev.1 DRAFT Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography (Draft Revision) NIST announces the release of draft revision of Special Publication 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography. SP 800-56A specifies key-establishment schemes based on the discrete logarithm problem over finite fields and elliptic curves, including several variations of Diffie-Hellman and MQV key establishment schemes. The revision is made on the March 2007 version. The main changes are listed in Appendix D. Please submit comments to 56A2012rev-comments @ nist.gov with "Comments on SP 800-56A (Revision)" in the subject line. The comment period closes on October 31, 2012. NIST Special Publication 800-56A Recommendation for Pair-Wise August 2012 Key-Establishment Schemes Using Discrete Logarithm Cryptography (Draft Revision) Elaine Barker, Lily Chen, Miles Smid and Allen Roginsky C O M P U T E R S E C U R I T Y Abstract This Recommendation specifies key-establishment schemes based on the discrete logarithm problem over finite fields and elliptic curves, including several variations of Diffie-Hellman and MQV key establishment schemes.
    [Show full text]
  • Guidelines on Cryptographic Algorithms Usage and Key Management
    EPC342-08 Version 7.0 4 November 2017 [X] Public – [ ] Internal Use – [ ] Confidential – [ ] Strictest Confidence Distribution: Publicly available GUIDELINES ON CRYPTOGRAPHIC ALGORITHMS USAGE AND KEY MANAGEMENT Abstract This document defines guidelines on cryptographic algorithms usage and key management. Document Reference EPC342-08 Issue Version 7.0 Date of Issue 22 November 2017 Reason for Issue Maintenance of document Produced by EPC Authorised by EPC Document History This document was first produced by ECBS as TR 406, with its latest ECBS version published in September 2005. The document has been handed over to the EPC which is responsible for its yearly maintenance. DISCLAIMER: Whilst the European Payments Council (EPC) has used its best endeavours to make sure that all the information, data, documentation (including references) and other material in the present document are accurate and complete, it does not accept liability for any errors or omissions. EPC will not be liable for any claims or losses of any nature arising directly or indirectly from use of the information, data, documentation or other material in the present document. Conseil Européen des Paiements AISBL– Cours Saint-Michel 30A – B 1040 Brussels Tel: +32 2 733 35 33 – Fax: +32 2 736 49 88 Enterprise N° 0873.268.927 – www.epc-cep.eu – [email protected] © 2016 Copyright European Payments Council (EPC) AISBL: Reproduction for non-commercial purposes is authorised, with acknowledgement of the source Table of Content MANAGEMENT SUMMARY ............................................................. 5 1 INTRODUCTION .................................................................... 7 1.1 Scope of the document ...................................................... 7 1.2 Document structure .......................................................... 7 1.3 Recommendations ............................................................ 8 1.4 Implementation best practices .........................................
    [Show full text]
  • A Quantum-Safe Circuit-Extension Handshake for Tor
    A quantum-safe circuit-extension handshake for Tor John Schanck, William Whyte, and Zhenfei Zhang Security Innovation, Wilmington, MA 01887 fjschanck,wwhyte,[email protected] Abstract. We propose a method for integrating NTRUEncrypt into the ntor key exchange protocol as a means of achieving a quantum-safe variant of forward secrecy. The proposal is a minimal change to ntor, essentially consisting of an NTRUEncrypt-based key exchange performed in parallel with the ntor handshake. Performance figures are provided demonstrating that the client bears most of the additional overhead, and that the added load on the router side is acceptable. We make this proposal for two reasons. First, we believe it to be an interesting case study into the practicality of quantum-safe cryptography and into the difficulties one might encounter when transi­ tioning to quantum-safe primitives within real-world protocols and code-bases. Second, we believe that Tor is a strong candidate for an early transition to quantum-safe primitives; users of Tor may be jus­ tifiably concerned about adversaries who record traffic in the present and store it for decryption when technology or cryptanalytic techniques improve in the future. 1 Introduction such as [12,23], as well as some Diffie-Hellman proto­ cols like ntor [8]. A key exchange protocol allows two parties who share no common secrets to agree on a common key over Forward secrecy. A protocol achieves forward secrecy a public channel. In addition to achieving this ba­ if the compromise of any party’s long-term key ma­ sic goal, key exchange protocols may satisfy various terial does not affect the secrecy of session keys de­ secondary properties that are deemed important to rived prior to the compromise.
    [Show full text]
  • Optimizing NTRU Using AVX2
    Master Thesis Computing Science Cyber Security Specialisation Radboud University Optimizing NTRU using AVX2 Author: First supervisor/assessor: Oussama Danba dr. Peter Schwabe Second assessor: dr. Lejla Batina July, 2019 Abstract The existence of Shor's algorithm, Grover's algorithm, and others that rely on the computational possibilities of quantum computers raise problems for some computational problems modern cryptography relies on. These algo- rithms do not yet have practical implications but it is believed that they will in the near future. In response to this, NIST is attempting to standardize post-quantum cryptography algorithms. In this thesis we will look at the NTRU submission in detail and optimize it for performance using AVX2. This implementation takes about 29 microseconds to generate a keypair, about 7.4 microseconds for key encapsulation, and about 6.8 microseconds for key decapsulation. These results are achieved on a reasonably recent notebook processor showing that NTRU is fast and feasible in practice. Contents 1 Introduction3 2 Cryptographic background and related work5 2.1 Symmetric-key cryptography..................5 2.2 Public-key cryptography.....................6 2.2.1 Digital signatures.....................7 2.2.2 Key encapsulation mechanisms.............8 2.3 One-way functions........................9 2.3.1 Cryptographic hash functions..............9 2.4 Proving security......................... 10 2.5 Post-quantum cryptography................... 12 2.6 Lattice-based cryptography................... 15 2.7 Side-channel resistance...................... 16 2.8 Related work........................... 17 3 Overview of NTRU 19 3.1 Important NTRU operations................... 20 3.1.1 Sampling......................... 20 3.1.2 Polynomial addition................... 22 3.1.3 Polynomial reduction.................. 22 3.1.4 Polynomial multiplication...............
    [Show full text]
  • How to Strengthen Ntruencrypt to Chosen-Ciphertext Security in the Standard Model
    NTRUCCA: How to Strengthen NTRUEncrypt to Chosen-Ciphertext Security in the Standard Model Ron Steinfeld1?, San Ling2, Josef Pieprzyk3, Christophe Tartary4, and Huaxiong Wang2 1 Clayton School of Information Technology Monash University, Clayton VIC 3800, Australia [email protected] 2 Div. of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore, 637371 lingsan,[email protected] 3 Centre for Advanced Computing - Algorithms and Cryptography, Dept. of Computing, Macquarie University, Sydney, NSW 2109, Australia [email protected] 4 Institute for Theoretical Computer Science, Tsinghua University, People's Republic of China [email protected] Abstract. NTRUEncrypt is a fast and practical lattice-based public-key encryption scheme, which has been standardized by IEEE, but until re- cently, its security analysis relied only on heuristic arguments. Recently, Stehlé and Steinfeld showed that a slight variant (that we call pNE) could be proven to be secure under chosen-plaintext attack (IND-CPA), assum- ing the hardness of worst-case problems in ideal lattices. We present a variant of pNE called NTRUCCA, that is IND-CCA2 secure in the standard model assuming the hardness of worst-case problems in ideal lattices, and only incurs a constant factor overhead in ciphertext and key length over the pNE scheme. To our knowledge, our result gives the rst IND- CCA2 secure variant of NTRUEncrypt in the standard model, based on standard cryptographic assumptions. As an intermediate step, we present a construction for an All-But-One (ABO) lossy trapdoor function from pNE, which may be of independent interest. Our scheme uses the lossy trapdoor function framework of Peik- ert and Waters, which we generalize to the case of (k −1)-of-k-correlated input distributions.
    [Show full text]
  • On Robust Key Agreement Based on Public Key Authentication Feng Hao Thales E-Security, Cambridge, UK [email protected]
    1 On Robust Key Agreement Based on Public Key Authentication Feng Hao Thales E-Security, Cambridge, UK [email protected] Abstract—This paper discusses public-key authenticated key Elliptic Curve Cryptography (ECC) [10]. Using ECC essen- agreement protocols. First, we critically analyze several authen- tially replaces the underlying (multiplicative) cyclic group ticated key agreement protocols and uncover various theoretical with another (additive) cyclic group defined over some elliptic and practical flaws. In particular, we present two new attacks on the HMQV protocol, which is currently being standardized curve. The essence of the protocol remains unchanged. by IEEE P1363. The first attack presents a counterexample to The acute problem with the Diffie-Hellman key agreement invalidate the basic authentication in HMQV. The second attack is that it is unauthenticated [2]. While secure against passive is applicable to almost all past schemes, despite that many of attackers, the protocol is inherently vulnerable to active attacks them have formal security proofs. These attacks highlight the such as the man-in-the-middle attack [6]. This is a serious lim- difficulty to design a crypto protocol correctly and suggest the caution one should always take. itation, which for many years has been motivating researchers We further point out that many of the design errors are caused to find a solution [3]–[5], [7], [9], [11], [13], [20]. by sidestepping an important engineering principle, namely To add authentication, we must start with assuming some “Do not assume that a message you receive has a particular shared secret. In general, there are two approaches.
    [Show full text]
  • Timing Attacks and the NTRU Public-Key Cryptosystem
    Eindhoven University of Technology BACHELOR Timing attacks and the NTRU public-key cryptosystem Gunter, S.P. Award date: 2019 Link to publication Disclaimer This document contains a student thesis (bachelor's or master's), as authored by a student at Eindhoven University of Technology. Student theses are made available in the TU/e repository upon obtaining the required degree. The grade received is not published on the document as presented in the repository. The required complexity or quality of research of student theses may vary by program, and the required minimum study period may vary in duration. General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. • Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain Timing Attacks and the NTRU Public-Key Cryptosystem by Stijn Gunter supervised by prof.dr. Tanja Lange ir. Leon Groot Bruinderink A thesis submitted in partial fulfilment of the requirements for the degree of Bachelor of Science July 2019 Abstract As we inch ever closer to a future in which quantum computers exist and are capable of break- ing many of the cryptographic algorithms that are in use today, more and more research is being done in the field of post-quantum cryptography.
    [Show full text]